Smaller government agencies face major cybersecurity risks

By now it is well established that the U.S. government needs to improve its cybersecurity capabilities. Frequently, these concerns center on the Department of Homeland Security, Department of Defense and other major agencies. However, as a recent report from the Government Accountability Office highlighted, smaller agencies are particularly vulnerable to digital threats and need a significant boost to their data protection capabilities.

Small agencies, big threats
The GAO report analyzed cybersecurity capabilities and privacy standards at government agencies with 6,000 or fewer total employees. Ultimately, the GAO determined that both the Office of Management and Budget and the DHS must increase their efforts to monitor the smaller agencies' implementation of federally mandated security measures. This is largely due to the fact that many smaller agencies have had only mixed success in terms of keeping pace with these regulations.

According to the GAO, superior cybersecurity efforts among these organizations are essential because these agencies, while smaller in size, are just as important as larger departments in terms of network security and privacy controls.

"Small agencies … like large agencies, place a great deal of sensitive information on their systems and, if not properly protected, they are at risk from the growing and evolving threats to the systems and networks that support federal operations," the GAO report stated. "These growing and evolving threats can potentially affect all segments of our society, including individuals, private businesses, government agencies and other entities."

Action needed
The report noted that both the DHS and OMB have offered guidance and assistance for smaller agencies to help them with their cybersecurity efforts. Yet despite this, a large number of these departments have not taken advantage of such opportunities.

Consequently, the report recommended a more active, engaged approach. This should include the OMB reporting directly on every smaller agency's implementation experiences.

"Until OMB and DHS oversee agencies' implementation of information security and privacy program requirements and provide additional assistance, small agencies will continue to face challenges in protecting their information and information systems," the GAO report concluded.

However, the onus should not rest entirely on the OMB and DHS. Small agency leaders must also take action to protect their organizations from cyberthreats. To this end, robust protection plans are critical. Decision-makers should assess their current abilities and, if necessary, turn to third-party consultants or other experts to help upgrade their capabilities. While budgets are stringent, the potential cost of a data breach is too great to ignore.